pool/rust-keylime
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 984413 from home:aplanas:branches:security

Browse Source 
- Update to version 0.1.0+git.1655384301.b834667:
  * Update fmf plans to run test with IMA policy
  * .github/dependabot.yml: prevent updates that require manifest change
- Add logrotate configuration for the agent service
- Requires libtss2-tcti-device0 to interact with the real device
- Drop legacy Python subpackage and feature
- Move conflicts into the Python version
- Drop CFSSL port from the keylime.xml firewalld rules

OBS-URL: https://build.opensuse.org/request/show/984413
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=15
This commit is contained in:
Alberto Planas 2022-06-22 09:04:26 +00:00 committed by Git OBS Bridge
parent 25830373fa
commit e9611ec490
8 changed files with 42 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_servicedata
View File

@ -1,4 +1,4 @@
<servicedata> <servicedata>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">https://github.com/keylime/rust-keylime.git</param> <param name="url">https://github.com/keylime/rust-keylime.git</param>
<param name="changesrevision">7c4121ed6474f4bfacd5afe23488baf05bf49a09</param></service></servicedata> <param name="changesrevision">b834667b4d775065be3d7677e8cb6ad209c43668</param></service></servicedata>

1
keylime.xml
View File

@ -4,7 +4,6 @@
<description>Keylime is a remote attestation tool that requires access to several ports.</description> <description>Keylime is a remote attestation tool that requires access to several ports.</description>
<port protocol="tcp" port="443"/><!-- Webapp --> <port protocol="tcp" port="443"/><!-- Webapp -->
<port protocol="tcp" port="8881"/><!-- Verifier --> <port protocol="tcp" port="8881"/><!-- Verifier -->
<port protocol="tcp" port="8888"/><!-- CFSSL -->
<port protocol="tcp" port="8890"/><!-- Registrar --> <port protocol="tcp" port="8890"/><!-- Registrar -->
<port protocol="tcp" port="8891"/><!-- Registrar TLS --> <port protocol="tcp" port="8891"/><!-- Registrar TLS -->
<port protocol="tcp" port="8992"/><!-- Revocation --> <port protocol="tcp" port="8992"/><!-- Revocation -->

8
logrotate.keylime Normal file
View File

@ -0,0 +1,8 @@
/var/log/keylime/*.log {
su keylime tss
weekly
missingok
rotate 4
copytruncate
minsize 1M
}

3
rust-keylime-0.1.0+git.1655143451.7c4121e.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:93b11bb2a3c58028b23ee4ca1bf2286ee49fa3da25a3caf758bed81e4b7af96c
size 115220

3
rust-keylime-0.1.0+git.1655384301.b834667.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cb272a91f71f4b197a28390da64a56319b45e9bf2878f31c8f700e1b2a6b8924
size 115404

16
rust-keylime.changes
View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Wed Jun 22 08:45:20 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Update to version 0.1.0+git.1655384301.b834667:
* Update fmf plans to run test with IMA policy
* .github/dependabot.yml: prevent updates that require manifest change
- Add logrotate configuration for the agent service
- Requires libtss2-tcti-device0 to interact with the real device
- Drop legacy Python subpackage and feature
- Move conflicts into the Python version
-------------------------------------------------------------------
Wed Jun 15 09:52:48 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Drop CFSSL port from the keylime.xml firewalld rules
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com Tue Jun 14 11:05:01 UTC 2022 - aplanas@suse.com

39
rust-keylime.spec
View File

@ -18,7 +18,7 @@
%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
Name: rust-keylime Name: rust-keylime
Version: 0.1.0+git.1655143451.7c4121e Version: 0.1.0+git.1655384301.b834667
Release: 0 Release: 0
Summary: Rust implementation of the keylime agent Summary: Rust implementation of the keylime agent
License: Apache-2.0 AND MIT License: Apache-2.0 AND MIT
@ -28,6 +28,7 @@ Source1: vendor.tar.xz
Source2: cargo_config Source2: cargo_config
Source3: keylime_agent.service Source3: keylime_agent.service
Source4: keylime.xml Source4: keylime.xml
Source5: logrotate.keylime
# PATCH-FIX-OPENSUSE keylime.conf.diff # PATCH-FIX-OPENSUSE keylime.conf.diff
Patch1: keylime.conf.diff Patch1: keylime.conf.diff
BuildRequires: cargo BuildRequires: cargo
@ -36,47 +37,33 @@ BuildRequires: libarchive-devel
BuildRequires: rust BuildRequires: rust
BuildRequires: tpm2-0-tss-devel BuildRequires: tpm2-0-tss-devel
BuildRequires: zeromq-devel BuildRequires: zeromq-devel
Recommends: %{name}-python = %{version} Requires: libtss2-tcti-device0
Conflicts: keylime-agent Requires: logrotate
Conflicts: keylime-config
Conflicts: keylime-firewalld
Conflicts: python-keylime
ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl ExcludeArch: %{ix86} s390x ppc64 ppc64le armhfp armv7hl
%description %description
Rust implementation of keylime agent. Keylime is system integrity Rust implementation of keylime agent. Keylime is system integrity
monitoring system. monitoring system.
%package -n %{name}-python
Summary: Shim loader for Python compatibility
Requires: %{name} = %{version}
Requires: python3-base
%description -n %{name}-python
Subpackage of %{name} for executing Python based revocation scripts.
%prep %prep
%autosetup -a1 -p1 %autosetup -a1 -p1
mkdir .cargo mkdir .cargo
cp %{SOURCE2} .cargo/config cp %{SOURCE2} .cargo/config
%build %build
RUSTFLAGS=%{rustflags} cargo build --release RUSTFLAGS=%{rustflags} cargo build --release --no-default-features --features "with-zmq"
%install %install
RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path . RUSTFLAGS=%{rustflags} cargo install --frozen --root=%{buildroot}%{_prefix} --path .
install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf install -Dpm 644 keylime.conf %{buildroot}%{_sysconfdir}/keylime.conf
install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service install -Dpm 644 %{SOURCE3} %{buildroot}%{_unitdir}/keylime_agent.service
install -Dpm 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
install -D -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml install -Dpm 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/keylime
install -d %{buildroot}%{_localstatedir}/log/keylime
# Create work directory # Create work directory
mkdir -p %{buildroot}%{_sharedstatedir}/keylime mkdir -p %{buildroot}%{_localstatedir}/keylime
# Create work directory for revocation actions
mkdir -p %{buildroot}%{_libexecdir}/keylime
cp tests/actions/shim.py %{buildroot}%{_libexecdir}/keylime
rm %{buildroot}%{_prefix}/.crates.toml rm %{buildroot}%{_prefix}/.crates.toml
rm %{buildroot}%{_prefix}/.crates2.json rm %{buildroot}%{_prefix}/.crates2.json
@ -100,14 +87,12 @@ rm %{buildroot}%{_prefix}/.crates2.json
%{_bindir}/keylime_agent %{_bindir}/keylime_agent
%{_bindir}/keylime_ima_emulator %{_bindir}/keylime_ima_emulator
%config(noreplace) %{_sysconfdir}/keylime.conf %config(noreplace) %{_sysconfdir}/keylime.conf
%dir %attr(0700, root, root) %{_sharedstatedir}/keylime %dir %attr(0700,root,root) %{_localstatedir}/keylime
%dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services %dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/keylime.xml %{_prefix}/lib/firewalld/services/keylime.xml
%{_unitdir}/keylime_agent.service %{_unitdir}/keylime_agent.service
%config(noreplace) %{_sysconfdir}/logrotate.d/keylime
%files -n %{name}-python %dir %attr(750,keylime,tss) %{_localstatedir}/log
%dir %{_libexecdir}/keylime
%{_libexecdir}/keylime/shim.py
%changelog %changelog

4
vendor.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:1fe478492e83ec8393af64f6a91ec4e84b865cf019c35df48d7f9782c4239672 oid sha256:0e4b91a6bff3824b1f58ff875102020400e200b4d4baa68c0b175bc0ee96f77d
size 20105032 size 20113908